Configuration Manager and OSD with a side of PowerShell


If you already manage your Windows 10 systems (currently 1607 and below) with System Center Configuration Manager, you may want to prevent certain users from using “Check online for updates from Microsoft Update” before you have had a chance to fully test the latest cumulative update or feature update. Unfortunately, when users go to Settings > Update & security they see a Check for updates button and, below it, a Check online for updates from Microsoft Update link.

Clicking that link bypasses System Center Configuration Manager and goes directly to Microsoft Update to see what the latest available updates are, and they start installing once they download. One way to prevent this from happening is to enable the Group Policy setting Do not connect to any Windows Update Internet locations.

If you enable this setting, you will not only disable the ability to check online for updates from Microsoft Update, but you will also disable the ability to install software from the Windows Store. If you have not started using the Windows Store yet, this might not be a problem. Also, this policy is only effective if the Specify intranet Microsoft update service location policy is set (which it should be if you are using System Center Configuration Manager for Software Updates).

Once the policy is enabled, the Check online for updates from Microsoft Update link disappears.

Hopefully a future release will offer a way to disable this link without also disabling the ability to install apps from the Windows Store.
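To confirm on a client that both policies described above actually landed, this added example (not part of the original post) reads the registry values the two policies write and reports whether the dependency between them is satisfied. The function names are hypothetical and the sample hashtables are constructed.

```powershell
# Added example: value names are the ones these two policies write under
# HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (and its AU subkey).
function Get-PolicyValues {            # hypothetical helper: registry key -> hashtable
    param([string]$Path)
    $values = @{}
    if (Test-Path -Path $Path) {
        foreach ($p in (Get-ItemProperty -Path $Path).PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { $values[$p.Name] = $p.Value }
        }
    }
    return $values
}

function Test-WUOnlineCheckBlocked {   # hypothetical name
    param([hashtable]$WU, [hashtable]$AU)
    # "Specify intranet Microsoft update service location": needs the flag and a server URL.
    $intranetSet = ($AU['UseWUServer'] -eq 1) -and
                   -not [string]::IsNullOrWhiteSpace($WU['WUServer'])
    # "Do not connect to any Windows Update Internet locations".
    $doNotConnect = $WU['DoNotConnectToWindowsUpdateInternetLocations'] -eq 1
    # Per the post, the second policy only takes effect when the first is set,
    # and when it does take effect Windows Store installs stop working too.
    $effective = $intranetSet -and $doNotConnect
    [pscustomobject]@{
        IntranetServiceSet  = $intranetSet
        DoNotConnectSet     = $doNotConnect
        OnlineCheckBlocked  = $effective
        StoreInstallsBroken = $effective
    }
}

# Constructed sample states (the server URL is a placeholder).
$samples = [ordered]@{
    'Both policies set'    = @(@{ WUServer = 'http://wsus.example.test:8530'
                                 DoNotConnectToWindowsUpdateInternetLocations = 1 }, @{ UseWUServer = 1 })
    'No intranet location' = @(@{ DoNotConnectToWindowsUpdateInternetLocations = 1 }, @{})
    'Only intranet set'    = @(@{ WUServer = 'http://wsus.example.test:8530' }, @{ UseWUServer = 1 })
}
foreach ($name in $samples.Keys) {
    "{0}: {1}" -f $name, (Test-WUOnlineCheckBlocked -WU $samples[$name][0] -AU $samples[$name][1])
}

# On a managed Windows client, evaluate the live policy keys instead.
if ($env:OS -eq 'Windows_NT') {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    Test-WUOnlineCheckBlocked -WU (Get-PolicyValues $key) -AU (Get-PolicyValues "$key\AU")
}
```

A result with DoNotConnectSet true but IntranetServiceSet false is the case the post warns about: the policy is configured but has no effect.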

This does not seem to work for me with Win10 1607 LTSB. I have Specify intranet Microsoft update service location enabled for SCCM, but when I also enable Do not connect to any Windows Update Internet locations, the Check online for updates from Microsoft Update link remains, even after a GPUpdate force and/or reboot. Have you come across any other methods for removing this link from 1607?

No, and I mention that in bold in the blog: “If you enable this setting, you will not only disable the ability to check online for updates from Microsoft Update, but you will also disable the ability to install software from the Windows Store.” It is a catch-22 until the later version of Windows 10.

We want to create the following settings:
- Updates are distributed through SCCM/WSUS
- The user can’t check online for Microsoft updates.
- Windows Store needs to work
- Drivers must be installed if new hardware is plugged in.

Hi Henk,
Windows 10 1703 has this option:
Remove access to use all Windows Update features
By enabling the Group Policy setting under Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features, administrators can disable the “Check for updates” option for users. Any background update scans, downloads and installations will continue to work as configured.
https://docs.microsoft.com/en-us/windows/deployment/update/waas-wu-settings

I have not tested it yet, but it sounds like it should work and achieve what you are trying to do.
-Mike

The “Turn Off Access To All Windows Update Features” setting will also prevent Windows Defender/SCEP/FEP from searching the Microsoft Update URL for definitions. Automatic updating from MMPC and internal sources will continue to work as they are defined by this group policy setting: “Define the order of sources for downloading definition updates”

Tom, Could you confirm that “Turn Off Access To All Windows Update Features” in conjunction with MMPC as your default source of Defender/SCEP signature definitions, allowed you to continue to receive AV signature updates? Were there any other side effects of this configuration to consider? Thanks.